Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp658677pxb;
        Sun, 10 Oct 2021 07:57:09 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyx3ingJv/UD61nYA/SUEh3dhtSsltTnc0t7lFWUwBLN1KnOjlLBe89lannIaj+6+ovlxYC
X-Received: by 2002:a17:902:ea0a:b0:13e:8b24:b94 with SMTP id s10-20020a170902ea0a00b0013e8b240b94mr19617664plg.45.1633877828894;
        Sun, 10 Oct 2021 07:57:08 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1633877828; cv=none;
        d=google.com; s=arc-20160816;
        b=ofm0y8gMNUxTIgb/o8+ZvpEsn5bmnCTlRyE6INDd1FcmBdY8ARQEm7UFngoe310j/q
         Q/2tmwz2T2N3fX/9aduus6kts7Ot6KiO7GUyYkWSR1xR11ivZ6kzv/dx0FFCcGz4B3/5
         7Qdpezmly2tgD8crnasOCePTjvcXjpZHYgeW9XysC/b2MwGTNQGDGWp0mQDudjSIpC1Y
         Xtz52bxhmHTj9yiEftYncS1jiRAekNIKY7tbAj1C9GQLl2O2nOhGSZjRnGEHGnXwaNt2
         HDIToNAuFDnZQK0hWEsQej75SqYp11r53mGU41CCiGfhuTXUAN2bIpPGU7huoXfbeHcP
         D5LA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:in-reply-to:date:references:subject:cc:to:from;
        bh=dnTPcnb8866jEPlnB8xjIaIre7XkvDRUN8nH30xVTJ8=;
        b=Z16yvoDbbSbkST9L+B3Nm/c7v/M3Ns2lcWVVqhZTLZGumm6r6Qj7P6oEltrZ883rUV
         kVbw/eFkqEyWwsgHE4d9envp88xSgvxJTsETT5UjfF3UC1DGzr3tMFz2hrJRHnKNIfxX
         pe4DJot2mX4MQDuOzhVpC/8KWOlUmOv97elRyoBVcEYo8cHRy83ENwLyfV83+1iOX32i
         pAsB5b48cB9akrrQh6POsfSbRdcy+AQoMQX/3wN/rCTF0dSEgbPl/n4/9tKLyQRATNPq
         2r+H4sluPkm9kXzScSuDisTREe5SJJ1Q0FtgAJ80z5Hmg+Qii3szRZ4m0DB6+hQjcMVm
         zoFA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id x14si6655023pjn.23.2021.10.10.07.56.56;
        Sun, 10 Oct 2021 07:57:08 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232915AbhJJONG convert rfc822-to-8bit (ORCPT
        <rfc822;makotox8664@gmail.com> + 99 others);
        Sun, 10 Oct 2021 10:13:06 -0400
Received: from albireo.enyo.de ([37.24.231.21]:55448 "EHLO albireo.enyo.de"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S231816AbhJJONE (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 10 Oct 2021 10:13:04 -0400
Received: from [172.17.203.2] (port=48075 helo=deneb.enyo.de)
        by albireo.enyo.de ([172.17.140.2]) with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256)
        id 1mZZWh-0005qE-Ez; Sun, 10 Oct 2021 14:10:07 +0000
Received: from fw by deneb.enyo.de with local (Exim 4.94.2)
        (envelope-from <fw@deneb.enyo.de>)
        id 1mZZWh-0006hy-5Z; Sun, 10 Oct 2021 16:10:07 +0200
From:   Florian Weimer <fw@deneb.enyo.de>
To:     =?iso-8859-1?Q?Micka=EBl_Sala=FCn?= <mic@digikod.net>
Cc:     Al Viro <viro@zeniv.linux.org.uk>,
        Andrew Morton <akpm@linux-foundation.org>,
        Aleksa Sarai <cyphar@cyphar.com>,
        Andy Lutomirski <luto@kernel.org>,
        Arnd Bergmann <arnd@arndb.de>,
        Casey Schaufler <casey@schaufler-ca.com>,
        Christian Brauner <christian.brauner@ubuntu.com>,
        Christian Heimes <christian@python.org>,
        Deven Bowers <deven.desai@linux.microsoft.com>,
        Dmitry Vyukov <dvyukov@google.com>,
        Eric Biggers <ebiggers@kernel.org>,
        Eric Chiang <ericchiang@google.com>,
        Geert Uytterhoeven <geert@linux-m68k.org>,
        James Morris <jmorris@namei.org>, Jan Kara <jack@suse.cz>,
        Jann Horn <jannh@google.com>, Jonathan Corbet <corbet@lwn.net>,
        Kees Cook <keescook@chromium.org>,
        Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
        "Madhavan T . Venkataraman" <madvenka@linux.microsoft.com>,
        Matthew Garrett <mjg59@google.com>,
        Matthew Wilcox <willy@infradead.org>,
        Miklos Szeredi <mszeredi@redhat.com>,
        Mimi Zohar <zohar@linux.ibm.com>,
        Paul Moore <paul@paul-moore.com>,
        Philippe =?iso-8859-1?Q?Tr=E9buchet?= 
        <philippe.trebuchet@ssi.gouv.fr>,
        Scott Shell <scottsh@microsoft.com>,
        Shuah Khan <shuah@kernel.org>,
        Steve Dower <steve.dower@python.org>,
        Steve Grubb <sgrubb@redhat.com>,
        Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>,
        Vincent Strubel <vincent.strubel@ssi.gouv.fr>,
        kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org,
        linux-fsdevel@vger.kernel.org, linux-integrity@vger.kernel.org,
        linux-kernel@vger.kernel.org,
        linux-security-module@vger.kernel.org,
        =?iso-8859-1?Q?Micka=EBl_Sala=FC?= =?iso-8859-1?Q?n?= 
        <mic@linux.microsoft.com>
Subject: Re: [PATCH v14 1/3] fs: Add trusted_for(2) syscall implementation
 and related sysctl
References: <20211008104840.1733385-1-mic@digikod.net>
        <20211008104840.1733385-2-mic@digikod.net>
Date:   Sun, 10 Oct 2021 16:10:07 +0200
In-Reply-To: <20211008104840.1733385-2-mic@digikod.net>
 (=?iso-8859-1?Q?=22Micka=EBl_Sala=FCn=22's?=
        message of "Fri, 8 Oct 2021 12:48:38 +0200")
Message-ID: <87tuhpynr4.fsf@mid.deneb.enyo.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8BIT
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

* Micka?l Sala?n:

> Being able to restrict execution also enables to protect the kernel by
> restricting arbitrary syscalls that an attacker could perform with a
> crafted binary or certain script languages.  It also improves multilevel
> isolation by reducing the ability of an attacker to use side channels
> with specific code.  These restrictions can natively be enforced for ELF
> binaries (with the noexec mount option) but require this kernel
> extension to properly handle scripts (e.g. Python, Perl).  To get a
> consistent execution policy, additional memory restrictions should also
> be enforced (e.g. thanks to SELinux).

One example I have come across recently is that code which can be
safely loaded as a Perl module is definitely not a no-op as a shell
script: it downloads code and executes it, apparently over an
untrusted network connection and without signature checking.

Maybe in the IMA world, the expectation is that such ambiguous code
would not be signed in the first place, but general-purpose
distributions are heading in a different direction with
across-the-board signing:

  Signed RPM Contents
  <https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents>

So I wonder if we need additional context information for a potential
LSM to identify the intended use case.